ASAc on Cisco Catalyst 9000 Switches: A Technical Deep Dive

Table of Contents #

  1. Solution Overview
  2. ASAc on Cat9k
  3. Use Cases
  4. Deployment Options
  5. Catalyst Center Workflow
  6. CLI Workflow
  7. ASAc Troubleshooting
  8. ASAc Performance

1. Solution Overview #

The Cisco Adaptive Security Appliance Container (ASAc) provides a next-generation firewall solution that integrates directly into the Catalyst 9300 series switches. ASAc offers comprehensive security for today’s distributed networks, focusing on IT and OT convergence while eliminating the need for separate firewall appliances.

The growing need for distributed firewall architectures is driven by trends such as Industry 4.0, digital transformation, smart manufacturing, and the widespread use of IoT devices in enterprise environments. As networks become more complex and IoT devices become commonplace, perimeter security alone cannot provide adequate protection, making distributed firewalling a necessity.

Key Features: #

  • Stateful Inspection Firewall: Provides traffic inspection and policy enforcement between IT and OT domains.
  • Next-Generation Firewall (NGFW) Capabilities: Protects against threats like malware, botnets, DDoS, and privilege escalation.
  • Centralized Management: Integration with Cisco Defense Orchestrator (CDO) and Cisco Catalyst Center for simplified management.
  • Seamless Integration: Fully integrated into Cisco Catalyst 9300 switches, reducing the need for separate firewall appliances.

2. ASAc on Cat9k #

ASAc on Cisco Catalyst 9300 (Cat9k) offers the ability to deploy firewall services directly on switches in a Layer 3 routed mode. The solution leverages the hardware capabilities of the switch to provide scalable firewall services, supporting up to 10 logical interfaces and achieving throughput performance of up to 913 Mbps on Catalyst 9300X switches.

Technical Specifications: #

  • Firewall Mode: Routed Mode Firewall with up to 10 logical interfaces.
  • App Hosting Requirements:
    • vCPUs: 2 for Catalyst 9300, 4 for Catalyst 9300X.
    • RAM: 2GB for Catalyst 9300, 8GB for Catalyst 9300X.
  • AppGig Ports:
    • 1x1G for 9300,
    • 2x10G for 9300X.
  • Local Management:
    • CLI,
    • ASDM (Adaptive Security Device Manager),
    • REST API.
  • Supported Software:
    • IOS-XE 17.12.2,
    • ASA version 9.20.2.

Use of ASAv License: #

ASAc reuses an ASAv (Adaptive Security Virtual Appliance) license for feature parity, providing customers with a virtual firewall service that meets the security needs of distributed enterprises.


3. Use Cases #

ASAc is designed to meet the evolving security needs of modern enterprise networks, particularly in Industry 4.0, smart buildings, and IoT-heavy environments. Below are several use cases highlighting the flexibility and functionality of ASAc when deployed on Catalyst 9300 series switches.

Use Case 1: Simplified Smart Building Network Design #

With the rise of smart buildings, IoT devices such as network-powered lighting, HVAC controls, security cameras, and door locks are connected to the same IT infrastructure. These devices often operate in isolated environments and require firewall protection to prevent unauthorized access and malicious activity.

By deploying ASAc on Catalyst 9300 switches, organizations can:

  • Minimize network complexity by eliminating the need for complex tunnels to centralized firewalls.
  • Reduce latency by placing firewalls closer to the IoT devices.

Use Case 2: Stateful Inspection Across Zones #

In a manufacturing environment, different zones such as production lines, office spaces, and contractor networks require distinct security controls. Traditionally, this would require a separate firewall for each zone, adding to the operational overhead.

ASAc allows network administrators to:

  • Perform stateful inspection at the boundaries between these zones.
  • Converge physical firewalls into virtual containers on switches, simplifying network management.

Use Case 3: Connecting IoT Networks with Duplicate IP Addresses #

Legacy IoT devices often share the same default IP address ranges, making it difficult to integrate them into corporate networks without conflicts. ASAc can be used to:

  • Route traffic between different IoT subnets without requiring changes to the device configurations.
  • Perform Network Address Translation (NAT) to centralize the management of these IoT networks.

Use Case 4: Secure IPSec Tunnel Between IoT Networks #

IoT networks are often distributed across multiple sites, creating the need for secure communication over shared IT infrastructure. ASAc can establish IPSec tunnels to securely connect these IoT networks and encrypt their traffic as it traverses the IT network.

Use Case 5: On-Demand VPN for Operational Cameras #

With ASAc, organizations can deploy VPN services on-demand for operational devices like security cameras, ensuring that remote access to these devices is secure.


4. Deployment Options #

ASAc can be deployed on Catalyst 9300 series switches using multiple methods, depending on the specific needs of the network and available management tools. Below are the two primary deployment methods: Catalyst Center (GUI) and CLI-based deployment.

Hardware Resources: #

  • Catalyst 9300:
    • Requires 2 vCPUs, 2GB RAM, and 1x1G AppGig ports.
  • Catalyst 9300X:
    • Requires 4 vCPUs, 8GB RAM, and 2x10G AppGig ports.

Storage: #

  • USB SSD (120GB or 240GB) is required for application storage. This SSD must be inserted into the USB slot of the switch to store ASAc container data.

AppGig Ports: #

Dedicated AppGigEthernet ports are used to handle application traffic and connect ASAc to external networks. Ensure that these ports are properly configured for VLAN trunking and traffic forwarding.


5. Catalyst Center Workflow #

The Cisco Catalyst Center provides an intuitive graphical interface for deploying ASAc on Catalyst 9300 switches, allowing administrators to configure VLANs, interfaces, and firewall rules through a guided workflow.

Step-by-Step Workflow: #

  1. Create a Deployment Workflow:
     • Select the site where ASAc will be deployed.
     • Define the VLAN settings for management, inside, and outside interfaces.
  2. Upload ASAc Application:
     • Upload the ASAc application image to the Catalyst Center.
     • Select the appropriate switches for the deployment.
  3. Configure Application Resources:
     • Specify the number of vCPUs, RAM, and interface configurations.
     • Assign VLANs to the management, inside, and outside interfaces of ASAc.
  4. Activate and Deploy:
     • Activate the ASAc application on the selected switch(es).
     • Monitor the status of the deployment to ensure the firewall services are running.
  5. Ongoing Management:
     • Use Cisco Catalyst Center for ongoing management and troubleshooting of ASAc.

6. CLI Workflow #

For environments where command-line management is preferred, Cisco provides a CLI-based workflow for deploying ASAc on Catalyst 9300 switches. This method offers greater control and flexibility for network administrators who are comfortable with command-line configuration.

Step 1: Enable IOX and App Hosting #

  1. Enable IOX to support app hosting:
   conf t
   iox
  2. Configure the AppGigEthernet ports for VLAN trunking:
   interface AppGigabitEthernet 1/0/1
   switchport trunk allowed vlan <vlan-id>
   switchport mode trunk

Step 2: Install and Activate ASAc #

  1. Download the ASAc image from Cisco DevNet or Cisco’s software portal and install it on the switch:
   app-hosting install appid ASAc package flash:/<ASAc_image>
  2. Activate and start the ASAc application:
   app-hosting activate appid ASAc
   app-hosting start appid ASAc

Step 3: Configure Interfaces #

  1. Create the interface configuration file (interface-config):
   [interface0]
   iface_id = eth0;
   uio_driver = afpacket;

   [interface1]
   iface_id = eth1;
   uio_driver = afpacket;

   [interface2]
   iface_id = eth2;
   uio_driver = afpacket;
  2. Upload the configuration file to the usbflash1:/iox_host_data_share/ directory.

Step 4: Verify ASAc Status #

  1. Check the status of the ASAc application:
   show app-hosting list
  2. Verify the interface configuration:
   show interface ip brief
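
As an added example (not part of the original page or of Cisco's tooling), a small Python checker for the interface-config file created in Step 3: it parses the [interfaceN] sections, accepting statements either one per line or several on one line, and flags a missing section, an iface_id that does not follow the ethN pattern shown above, a driver other than afpacket, or more sections than the 10 logical interfaces quoted for routed mode. The ethN-matches-N rule, contiguous numbering and the 10-interface bound are assumptions drawn from the page's example, not documented constraints of the format.

```python
import re

# Constructed sample in the interface-config layout from Step 3 (not from a real switch).
SAMPLE_INTERFACE_CONFIG = """\
[interface0]
iface_id = eth0;
uio_driver = afpacket;
[interface1]
iface_id = eth1; uio_driver = afpacket;
[interface2]
iface_id = eth2;
uio_driver = afpacket;
"""

MAX_INTERFACES = 10  # routed-mode limit quoted on the page; assumed to bound this file too


def parse_interface_config(text):
    """Return {N: {key: value}} per [interfaceN] section; ';'-terminated statements may share a line."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^\[interface(\d+)\]$", line)
        if m:
            current = int(m.group(1))
            sections[current] = {}
            continue
        if line and current is None:
            raise ValueError(f"statement before any section: {line!r}")
        for stmt in (s.strip() for s in line.split(";") if s.strip()):
            key, sep, value = stmt.partition("=")
            if not sep:
                raise ValueError(f"malformed statement: {stmt!r}")
            sections[current][key.strip()] = value.strip()
    return sections


def validate_interface_config(sections):
    """Return a list of problems; an empty list means the file is consistent."""
    problems = []
    if len(sections) > MAX_INTERFACES:
        problems.append(f"{len(sections)} sections exceed the {MAX_INTERFACES}-interface limit")
    for idx in range(len(sections)):  # assumed: sections run contiguously from 0
        sec = sections.get(idx)
        if sec is None:
            problems.append(f"[interface{idx}] is missing; numbering must be contiguous")
        elif sec.get("iface_id") != f"eth{idx}":  # assumed: eth index mirrors section index
            problems.append(f"[interface{idx}] iface_id should be eth{idx}, got {sec.get('iface_id')!r}")
        elif sec.get("uio_driver") != "afpacket":
            problems.append(f"[interface{idx}] uio_driver should be afpacket, got {sec.get('uio_driver')!r}")
    return problems
```

Running the checker over the file before copying it to usbflash1:/iox_host_data_share/ catches the layout mistakes that otherwise only show up as interfaces missing from `show interface ip brief` inside the container.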

7. ASAc Troubleshooting #

When deploying and managing ASAc, administrators need tools to diagnose and resolve potential issues. Below are key troubleshooting methods and commands for resolving common ASAc issues.

Accessing ASAc Console #

Connect to the ASAc console via the switch CLI:

   app-hosting connect appid ASAc session

Useful Show Commands #

  • Check interface status:
   show interface ip brief
  • Show dropped packets:
   show asp drop
  • Gather technical support information:
   show tech-support

Debugging Packet Drops #

  1. Check for driver drops on the ASAc with:
   show controller
  2. Analyze interface drops or underrun errors with:
   show interface
  3. Perform real-time packet capture on ASAc inside interfaces:
   capture <capture name> interface <interface name> real-time

8. ASAc Performance #

Performance metrics for ASAc deployed on Catalyst 9300 switches provide insight into how the firewall operates under different conditions, based on packet size and the number of vCPUs allocated to the application.

Performance Numbers for C9300 #

  • Max Connections Per Second (CPS): 8,000.
  • Concurrent Connections: 1 million.
  • Throughput (450-byte TCP packets):
    • C9300 with 2 vCPUs: 589 Mbps.
    • C9300X with 4 vCPUs: 913 Mbps.

These performance figures demonstrate that ASAc, when hosted on Catalyst 9300 series switches, provides enterprise-level throughput and scalability suitable for modern networks.